CentOS 7 selinux policy bug

Daniel J Walsh dwalsh at redhat.com
Fri May 29 19:41:03 UTC 2015


On 05/29/2015 01:03 PM, m.roth at 5-cent.us wrote:
> Daniel J Walsh wrote:
>> On 05/29/2015 09:20 AM, m.roth at 5-cent.us wrote:
>>>    CentOS 7.1. SELinux policy, targeted, updated two days ago.
>>>
>>> May 28 17:02:41 <servername> python: SELinux is preventing /usr/bin/bash
>>> from execute access on the file /usr/bin/bash.#012#012***** <...>
>>> May 28 17:02:45 <servername> python: SELinux is preventing /usr/bin/bash
>>> from execute access on the file /usr/bin/uname.#012#012*****  <...>
>>> May 28 17:02:45 <servername> python: SELinux is preventing
>>> /usr/bin/uname
>>> from execute_no_trans access on the file /usr/bin/uname.#012#012*****
>>> <...>
>>> May 28 17:02:47 <servername> python: SELinux is preventing /usr/bin/bash
>>> from execute access on the file /usr/bin/mailx.#012#012*****  <...>
>>>
>>> I did do an ll -Z /usr/bin, and everything looks correct
>>> (system_u:object_r:bin_t:s0). Given that, it looks to me like a policy bug.
>>> No? Yes? File a bug report?
>> What is the avc that you are seeing?
>>
>> ausearch -m avc -ts recent
> Hmmm, that ausearch gives no matches. However, in /var/log/audit/audit.log
> type=AVC msg=audit(1432846954.621:112734): avc:  denied  { execute } for 
> pid=1984 comm="rsync" name="bash" dev="sda3" ino=23075548
> scontext=system_u:system_r:rsync_t:s0
> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
> type=AVC msg=audit(1432846954.628:112735): avc:  denied  { execute } for 
> pid=1987 comm="sh" name="uname" dev="sda3" ino=23071676
> scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:bin_t:s0
> tclass=file
> type=AVC msg=audit(1432846954.629:112737): avc:  denied  { execute } for 
> pid=1986 comm="sh" name="mailx" dev="sda3" ino=23072424
> scontext=system_u:system_r:rsync_t:s0
> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
>
> Now, my manager thinks that it's complaining because we have an rsync
> daemon running, and every time there's an upload, the daemon sends an
> email to a user.
>
>       mark
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Is the rsync set up as a client or server?  Does it copy off or copy to?
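Two practical notes on the diagnosis above, followed by an added example that is not part of the thread. First, `ausearch -ts recent` only looks back 10 minutes, which is why it found nothing for denials logged the previous evening; `ausearch -m avc -ts today` or an explicit date would have matched. Second, the AVC records already tell the story: a process in rsync_t (the rsync daemon's domain) executed bash, which then executed uname and mailx, and the targeted policy does not let rsync_t run a shell or a mail client. The script below parses the three AVC records Mark pasted (copied from the thread and re-joined onto one line each), collapses them into (source type, target type, class, permission) tuples and renders the allow rules audit2allow would generate for them. The `parse_avc`, `summarize` and `allow_rules` names are mine; the rules are shown so you can see what a blanket `audit2allow -M` would grant, not as a recommendation to load them.

```python
import re
from collections import Counter, defaultdict

# The three AVC records quoted in the thread, each re-joined onto one line.
AVC_LOG = """\
type=AVC msg=audit(1432846954.621:112734): avc:  denied  { execute } for  pid=1984 comm="rsync" name="bash" dev="sda3" ino=23075548 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1432846954.628:112735): avc:  denied  { execute } for  pid=1987 comm="sh" name="uname" dev="sda3" ino=23071676 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1432846954.629:112737): avc:  denied  { execute } for  pid=1986 comm="sh" name="mailx" dev="sda3" ino=23072424 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
"""

# Header of an AVC record: timestamp, serial, denied/granted, permission set.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
# key=value pairs after "for"; values may be quoted (comm="sh") or bare (pid=1987).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # user:role:type:level -> the type is the third colon-separated field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def parse_log(text):
    """Parse every AVC record in an audit.log excerpt, skipping other record types."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def summarize(records):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for r in records:
        if r["result"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(r["stype"], r["ttype"], r["tclass"], perm)] += 1
    return counts


def allow_rules(summary):
    """Render the allow rules audit2allow would emit for a denial summary."""
    grouped = defaultdict(set)
    for (stype, ttype, tclass, perm) in summary:
        grouped[(stype, ttype, tclass)].add(perm)
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    recs = parse_log(AVC_LOG)
    for r in recs:
        print(f'{r["comm"]:>6} ({r["stype"]}) -> {r["name"]} ({r["ttype"]}): {" ".join(r["perms"])}')
    for rule in allow_rules(summarize(recs)):
        print(rule)
```

The first denial is the one to read closely: comm="rsync" in rsync_t executing shell_exec_t. Granting the three rules above would let the rsync daemon spawn a shell and a mail client, which is exactly the confinement the domain exists to provide, so the right fix depends on how rsync is deployed (hence the question about client versus server and copy direction) rather than on what audit2allow prints.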

